Turning a Sharp Zaurus into a penetration tool

This tutorial will show you how to get various popular security tools running on the Sharp Zaurus PDA. I have a strong interest in the topic of computer security and love futzing around with technology. Most of the best network security and penetration testing tools are made for *nix environments, so when I heard about the Sharp Zaurus PDA that ran Linux out of the box it piqued my interest. The Zaurus makes for a great hacking tool, and the price on the older 5500 keeps dropping (I got mine with a WiFi card and a modem for about $200 off eBay). The following are some of the security tools I have running on my Zaurus 5500, the hoops I had to jump through to install them, and some information on how to use them. While my testing environment is a Zaurus 5500 running OpenZaurus, a lot of this information should also apply to other Zaurus models and to iPAQs and Axims running some kind of ARM Linux. I had a devil of a time installing some of these apps, so I hope this website of my notes helps. If you just want a PDA I would urge you to buy a Pocket PC or a Palm, but if you like Linux and networking definitely go for a Zaurus. If any of the information on this page becomes out of date please email me at Irongeek@irongeek.com or leave a message in my tech forum and let me know so I can update it.

The OpenZaurus ROM gives you more options than the Sharp ROM, and it's said that it has better hardware support. It's fairly easy to install: just copy the root file system (initrd.bin) and kernel (zImage) you want to a CF card and hit the hard reset button while holding down C and D on the keyboard (if you have big paws it can be tough). See the install guide here http://www.openzaurus.org/oz_website...t/installGUIde . I went with OZ 3.3.6 because it was easier to get Wellenreiter II working out of the box than with some of OpenZaurus' more tested ROMs. You can add packages by putting them on an SD/CF card and using the packages app or the ipkg command line tool. The packages tool also has a way to install IPKs from the website. Many of the following apps will need LibPcap to function. Before you install any of the packages I have mirrored, please check in the directories ( http://www.openzaurus.org/official/ ) at the OpenZaurus site to see if there are any newer versions available. One downside to OZ 3.3.6-pre1-gcc3 is that it was built with gcc 3.3.2, which means you will need the compatibility libraries from http://www.mithis.com/zaurus/ipkgs/ (my mirror is here). You will know you have a compatibility problem when you get an error like "undefined symbol: _7QString.shared_null". The GUI tool that comes with the compatibility libraries does not always seem to work, so what I do is edit the .desktop files and add "runcompat" in front of whatever the exec= line points to (see my example in the Zethereal section). Update 3/15/2004: Tim Ansell (aka Mithro) of the OZ-compat project sent me the following notes that might help you with GCC compatibility problems:

Hi!
I was reading your oz-compat pages (as I like to look at how people are using my packages) and found the following information:
"The GUI tool that comes with the compatibility libraries does not always seem to work so what I do is edit the .desktop files and add "runcompat"
in front of whatever the exec= line points to (see my example in the Zethereal section). "
There is actually a better way to do this: if you go to the console and do a "makecompat <binary>" it will link up that binary to the compat libs.
I would also like to know more information on where that script fails so I can fix it.
I really need to do a quick C++ application instead of being horribly dependent on the old and unmaintained opie-sh. (I plan to eventually rework and replace opie-sh with a better opie-sh.)
Anyway I thought I would just inform you of this.
Thanks
Tim aka Mithro

Some general tips:
1. Make sure you have a good text editor like Nano installed so you can edit system files; the text editor from the GUI is flaky as hell.
2. The first thing you should do after installing OZ is give the root account a password using the passwd command.
3. Fn-C acts as Ctrl-C would on the desktop.
4. Make sure you have a good SSH and SFTP program on your box. In Windows I use PuTTY for SSH and FileZilla for SFTPing files. I use EditPad Lite for editing system files on my Windows box; it does not screw up Unix-style line feeds.
5. Keep the backlight low to extend battery life, and have suspend mode only turn off the LCD when you are wardriving.
6. Space is limited, get yourself an SD card to log information to.
7. Install LibPcap, almost all of these apps will need it.

Change your MAC Address

Here is how to change your MAC address in OpenZaurus. I use these two commands:

Code:

ifconfig wlan0 down hw ether 0:0a:0a:a0:a0:a0
ifconfig wlan0 up

This would set your wlan0 interface to use the MAC 0:0a:0a:a0:a0:a0. This could be useful for sniffing other connections or for bypassing MAC address restrictions on an Access Point (find valid MAC addresses by sniffing them). It also makes it less traceable to your hardware.

When you first run Wellenreiter II give it about 5 seconds so it will pop up the message about killing the DHCP client; once DHCP is killed it works a lot better.
Update 3/05/2004:

Mark Lachniet wrote me with the following advice; apparently if you run Wellenreiter II from an SD card it can cause problems with the GUI. Here's his advice:

I un-installed from my SD card and re-installed on RAM. It looks like this fixed the problem - it's very responsive and doesn't crash OPIE any more. Apparently the SD card was too slow to handle some kind of program data caching, etc. That might be worth an FYI on your web page.

If you install Kismet version 2.8 it's pretty easy. To run it go into Konsole and type:

Code:

kismet_monitor
kismet

Hit the "h" key while it is running to bring up help. A dump of information is kept in /root/ for you to look at later if you want.

Ver 3.1

To run the newer version it gets a little more complicated. First you must install version 3.1. Once you have installed Kismet, overwrite the old kismet.conf (/mnt/ram/usr/local/etc/kismet.conf; it could be in a different path depending on where you installed it) with my kismet.conf. Basically all I did was tell it to use hostap and turn off the GPS functionality; you may have to make some changes if you don't use a Prism based card (look for the "source=" setting).

I like to use the ncurses interface, but if you want to use Kismet-qt you will have to set it up so that it uses the compatibility libraries (see my entry on Zethereal). It's easy enough to do: just install the compatibility libraries and Kismet-qt, then edit the desktop file:
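The .desktop edit described here (and in the compatibility-library note above) can be done from Konsole instead of by hand. This is an added example, not a script from the original tutorial: it prepends "runcompat" to the Exec= line of a launcher file, keeps a backup, and leaves a file alone if it was already wrapped. It assumes runcompat is on your PATH and that the launcher uses an "Exec=" key; the sample .desktop file below is constructed for illustration.

```shell
#!/bin/sh
# Added example: wrap an Opie/Qtopia launcher so its app starts through the
# OZ compat libraries (i.e. "Exec=runcompat <binary>"). Not from the original page.
# Assumptions: runcompat is on PATH; the file has a single "Exec=" line.

add_runcompat() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Already wrapped: nothing to do (keeps the edit idempotent)
    if grep -q '^Exec=runcompat ' "$file"; then
        return 0
    fi
    # Keep the untouched launcher as <name>.orig, then rewrite the Exec= line
    cp "$file" "$file.orig" || return 1
    sed 's/^Exec=/Exec=runcompat /' "$file.orig" > "$file"
}

# Constructed sample launcher in the style of an Opie .desktop entry
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/zethereal.desktop" <<'EOF'
[Desktop Entry]
Comment=Network protocol analyzer
Exec=zethereal
Icon=zethereal
Name=Zethereal
Type=Application
EOF
    echo "$dir/zethereal.desktop"
}

# Print the Exec= line so the result can be checked
exec_line() { grep '^Exec=' "$1"; }

# Usage on a real device (path is an assumption, adjust to your install):
#   add_runcompat /opt/QtPalmtop/apps/Applications/zethereal.desktop
```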

Zethereal is Ethereal for the Zaurus. It's a good little sniffer/protocol analyzer. All the binaries I've found for it are compiled with the old gcc, so you will have to use the compatibility libraries. Make sure you have installed LibPcap, then install the ipk in my mirror (provided by Dan L). You will also need to install libglib (my mirror of libglib, boosted from Debian) and do some symlinking to get it to work. I installed it from the SD card as follows:

I found that you can get the Debian ARM packages to work on the Zaurus if you just rename them with a .ipk on the end. Make sure you have installed LibPcap. To install you will have to force dependencies and symlink as follows (your paths may vary; I installed Ettercap off of an SD card):

(Pics on website listed at the bottom of the tutorial) The first pic shows the use of the flags needed to do a password capture with the IP-based sniffing method in command line mode. To see it in its non command line mode (2nd pic) make sure you turn off wrapping under the Options menu of Konsole and that the onscreen keyboard is not up, otherwise you get an error like "Screen must be at least 25x80 !!". If you get an error about not being able to find etter.ssl.crt make sure you ran the symlink command above. I'm still having problems getting it to do IP forwarding, even if I do a:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

I'll try to let you know more when I get more time for testing; it may just be that it does not work with Wi-Fi (I have a 10/100 Ethernet card on the way for testing). For the time being, when it arpspoofs the two hosts it kills all communications between them. If Ettercap tries to sniff the USB connection (which is most likely not what you want) make sure you specify what interface to use with the "-i" option:

Code:

ettercap -i wlan0

If Ettercap loads too slowly because of host name resolution, just turn it off using the "-d" option.

Update 2/6/04: OK, after testing it with a 10/100 Ethernet card Ettercap still does not work for catching passwords. It must be something Zaurus specific, because I got the package from Debian and I'm sure they tested it on other ARM platforms. For right now Ettercap on the Zaurus is only good for fingerprinting computers and for killing their net access (packet forwarding does not seem to work). I'll have to try the Dsniff package to see if I can get it to work better.

Ngrep is basically grep for network packets. It has a lot of filter options, so check out the webpage for all of them. The link above is to a binary; copy it to some place like /mnt/ram/usr/bin/ and symlink it to someplace in your path ( ln -s /mnt/ram/usr/bin/ngrep /bin/ngrep ). If you want to save the information instead of showing it on the screen use a command like:

Once again, an older version of nmap, but still pretty good. I need to see if I can compile a newer version. Nmap is a command line tool, but the qpenmap front end makes it easier to use. Try entering something like 192.168.*.* to scan a whole range of IPs. The only version I have found that has been directly ported is 3.27, but you can get the newer Debian ARM packages to work by downloading them from here http://tux.ius.edu/zaurus/nmap/nmap3.50-1/ and following these instructions to install them:

-P0 Don't ping first; this is useful because a lot of hosts turn off ICMP echo requests these days.
-O Do an OS detection
-e Specify an interface (eth0, wlan0, etc)
-sV Version scan, find out the version of a service that is running

Nemesis is a packet injection utility. It allows you to spoof other hosts and generally cause confusion on the network. I just took the Debian ARM packages and renamed them with a .ipk on the end. The package comes with the following utilities:

it would make it look as if Microsoft.com was attacking the target host. Here is an example of a script I wrote that can be used to make it look like another host is doing a port scan:
frame.sh (just copy the content below)